United States: Breach And Cyber Incident Reporting: Disclosure Challenges For Public Companies

Last Updated: August 14 2019
Article by Sanjay M. Shirodkar

One of the big corporate governance related stories last month was the settlement agreement between the Securities and Exchange Commission (SEC) and Facebook Inc. arising from the misuse of Facebook user data and disclosures in Facebook’s public filings. The settlement was the most high-profile recent development in the realm of public company cybersecurity and cyber disclosure – but it was far from the only one we’ve seen in the news lately.

As this issue gains ever more public attention, what incident reporting trends are we seeing that affect public companies? What is the staff of the SEC focusing on in comments related to cybersecurity matters? And what are some of the lessons we have learned that board members and senior management should consider?

This article explores these topics.

The Audit Analytics report

Earlier this year, Audit Analytics published a report taking a deep dive into the trends and statistics of public company cybersecurity and cyber disclosure.1 The company observed that "[o]ver the past ten years, cybersecurity has become a greater threat for public companies, as both business and commerce have become more dependent on technology. Cyber threats from social engineering schemes to sophisticated programs put customer data, financial accounts, and even proprietary information at risk to third-party access."2

The key findings of the report were:

  • On average, companies discovered a cyber breach 123 days after its occurrence and disclosed the breach after another 44 days.
  • The number of days it takes to uncover a breach varies depending on industry, type of breach, and type of information compromised.
  • Only about 50 percent of firms that disclosed a breach provided information on the type of attack that occurred.
  • 70 percent of affected companies disclosed one cyber breach and about 30 percent disclosed multiple breaches.
  • For public companies, service and manufacturing sectors had the greatest number of disclosed cyberattacks.3

SEC comments

Listed below are a few comments4 issued by the staff of the Division of Corporation Finance at the SEC on these topics. They illustrate the staff's concerns well:

  • We note your disclosure that you continue to face a host of cyber threats; your disclosure that cyber-crimes and denial of service attacks have increased; and your identification of cyber-attacks as a key risk. Please clarify whether you have knowledge of the occurrence of any such attacks in the past. If attacks have occurred, and were material either individually or in the aggregate, revise to discuss the related costs and consequences. Also, describe the particular aspects of your business and operations that give rise to material cybersecurity risks and the potential costs and other consequences of such risks to those businesses and operations. For additional guidance, please refer to CF Disclosure Guidance Topic No. 2 on Cybersecurity.
  • In this risk factor you discuss the potential impact of operational risks. Have you suffered any significant losses or other damages as a result of operational risks, or has your controls testing indicated that you have a significant deficiency? Please revise to provide a description of any cyber incidents that you have experienced that are individually, or in the aggregate, material, including a description of the costs and other consequences and to provide the investor with an idea of the likelihood that a risk may impact your results and the potential impact on your assets and earnings. Refer to CF Disclosure Guidance: Topic No. 2 and Regulation S-K Item 503(c).
  • We note that your recent acquisition of *** will allow you to accelerate the development of solutions for the *** and for a broader set of industries and markets. We further note that *** percent of your *** were to *** after a flaw in the *** was identified. Please tailor your risk factor disclosure and expand your discussion of cybersecurity issues to discuss the impact of any known trends and uncertainties relating to actual cyber hacks and vulnerabilities.
  • In order for investors to better understand the possible impact that a cyber-security incident might have on your company, please revise this risk factor to discuss any material breaches that have impacted your business or the businesses of your partner firms. For example, we note that *** was subject to an attack in *** that resulted in the loss of $*** in client funds and a fine from your regulators.
  • You disclose in this risk factor that you "have been subject to denial or disruption of service attacks by hackers." Please provide us with additional information regarding the nature and scope of the attacks you reference, including when they occurred and whether they had a material impact on your business either on an individual or aggregate basis. Please tell us your consideration for including a discussion of this incident, including a description of the costs and consequences, in this risk factor and elsewhere in your disclosure, as appropriate. We refer you to the Division of Corporation Finance's CF Disclosure Guidance: Topic No. 2 for additional guidance.
  • We note your disclosure that during ***, [the company's] computer network was the target of a cyber-attack that you believe was sponsored by a foreign government, designed to interfere with your *** and undermine your reporting. We also note your disclosure that you have implemented controls and taken other preventative actions to further strengthen your systems against future attacks. If the amount of the increased expenditures in cybersecurity protection measures was or is expected to be material to your financial statements, please revise your discussion in MD&A to discuss these increased expenditures. Also, if material, please revise the notes to your financial statements to disclose how you are accounting for these expenditures, including the capitalization of any costs related to internal use software.
  • We note your response to prior *** from our letter to you dated ***. In future filings, beginning with your next Form 10-Q, please provide a separate discussion of the risks posed to your operations from your dependence upon technology or to your business, operations or reputation by cyber attacks or breaches of your cybersecurity. In addition, in order to provide the proper context for your risk factor disclosure, and as you stated in your response letter, please confirm that you will disclose in this revised risk factor that you have experienced occasional actual and attempted breaches of your cybersecurity.

Lessons learned on SEC concerns

Action item:  Materiality is still king. The various guidances published by the SEC and its staff do not implement a new reporting regime or make significant changes to the existing understanding of what is material to a public company.  Not every cyber-related incident will result in some sort of public disclosure.  Issues surrounding a breach, including internal investigations on the topic, can frequently take some time to fully unpack, and it is best to gather information and have a candid discussion with disclosure counsel.

Action item:  Take a hard look at existing disclosure. The SEC comments noted above and the Facebook proceedings make it clear that hypothetical phrasing of events that a company has experienced is problematic.  It is not unusual for the staff of the SEC to review social media and alternative sources for information about new developments. The SEC staff expects companies to disclose cyber incidents that are, individually or in the aggregate, material − including the costs and consequences associated with the incident.

Action item:  It is not all about the Risk Factors. The SEC staff's 2011 guidance on this issue reminded registrants that "a number of disclosure requirements may impose an obligation on registrants to disclose [cybersecurity] risks and [cyber] incidents."5 The SEC staff is also concerned about the following topics:

  • Are there any known trends and uncertainties related to the actual cyber hacks and vulnerabilities?6
  • What is the exact nature and scope of the cyber incidents, including when they occurred and whether they had a material impact on the company's business?
  • What sort of expenditures does the company expect to undertake on its cybersecurity protection measures and would this expenditure have a material impact on the company's financial statements?7

Third-party access to a company's network, customer data or other information is another topic that should be reviewed periodically.

Footnotes

1 Audit Analytics - Trends in Cybersecurity Breach Disclosures (Published March 13, 2019) (available here - http://www.alacrastore.com/storecontent/Audit-Analytics-Trend-Reports/Trends-in-Cybersecurity-Breach-Disclosures-2033-62) (Trends Report).

2 Audit Analytics blog posted on March 18, 2019 (available here - https://blog.auditanalytics.com/trends-in-cybersecurity-breach-disclosures/).

3 Trends Report on page 1.

4 The comments have been revised to redact company-specific information.

5 CF Disclosure Guidance: Topic No. 2, Cybersecurity, Division of Corporation Finance (Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm (SEC Guidance) on page 2.

6 Registrants are reminded to address cybersecurity risks and related incidents in their MD&A "if the costs or other consequences associated with one or more known incidents or risks of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant's [financial statement] … or would cause reported financial information not to be necessarily indicative of future operating results or financial condition." SEC Guidance on page 3.

7 The SEC staff also reminded registrants that a cyber incident may require disclosure in the Legal Proceedings or Financial Statements.  SEC Guidance on page 3.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
